Several methods of detecting SoftICE (English)

This post presents four methods of detecting the SoftICE debugger: attempting to open the virtual devices SoftICE creates, communicating with the debugger through the int3 instruction, issuing commands through int3, and calling a specific interrupt function to determine whether SoftICE is present.


12.15.1 Problem

SoftICE is a ring0 debugger that cannot be detected using standard debugger detection techniques.

12.15.2 Solution

Numega's SoftICE debugger is a kernel-mode debugger intended for debugging device drivers and Windows itself. It is favored by software protection crackers because of its power. Four well-known methods for detecting the presence of SoftICE exist, which are detailed in Section 12.15.3.

12.15.3 Discussion

The "Meltice" technique is one of the oldest methods for detecting SoftICE. It attempts to open virtual devices created by SoftICE; if any of these devices exist, the debugger is present.

#include <windows.h>

BOOL spc_softice_meltice(void) {
  HANDLE hFile;

  /* Each CreateFile() targets a device that only SoftICE registers; the
     string literals encode the device paths \\.\SICE, \\.\NTICE, etc. */
  hFile = CreateFile(TEXT("\\\\.\\SICE"), GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
  if (hFile == INVALID_HANDLE_VALUE)
    hFile = CreateFile(TEXT("\\\\.\\NTICE"), GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
  if (hFile == INVALID_HANDLE_VALUE)
    hFile = CreateFile(TEXT("\\\\.\\SIWDEBUG"), GENERIC_READ, 0, 0,
                       OPEN_EXISTING, 0, 0);
  if (hFile == INVALID_HANDLE_VALUE)
    hFile = CreateFile(TEXT("\\\\.\\SIWVID"), GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
  if (hFile == INVALID_HANDLE_VALUE) return FALSE;
  CloseHandle(hFile);
  return TRUE;
}
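A table-driven variant of the Meltice check, added here as an example and not part of the recipe's own code. The device-open probe is injected as a callback so the scan logic can be exercised with constructed probes; the real CreateFile probe is compiled only under _WIN32, and the function returns the matched device name so a detection event has something concrete to log.

```c
#include <stddef.h>
#include <string.h>

/* Device names SoftICE registers, as C literals for the paths \\.\NAME. */
static const char *const kSoftIceDevices[] = {
  "\\\\.\\SICE", "\\\\.\\NTICE", "\\\\.\\SIWDEBUG", "\\\\.\\SIWVID"
};
#define NUM_SOFTICE_DEVICES (sizeof kSoftIceDevices / sizeof kSoftIceDevices[0])

/* Probe callback: nonzero if the named device can be opened. Injected so the
   scan can be exercised without SoftICE (or without Windows at all). */
typedef int (*device_probe_fn)(const char *path);

/* Returns the first device name that opens (SoftICE present), or NULL.
   Returning the name rather than a bare BOOL gives a detection log entry
   the specific device that answered. */
const char *softice_meltice_match(device_probe_fn probe) {
  size_t i;
  for (i = 0; i < NUM_SOFTICE_DEVICES; i++)
    if (probe(kSoftIceDevices[i]))
      return kSoftIceDevices[i];
  return NULL;
}

#ifdef _WIN32
#include <windows.h>
/* Real probe: the same CreateFile call as the recipe, closing the handle. */
static int win32_device_probe(const char *path) {
  HANDLE h = CreateFileA(path, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
  if (h == INVALID_HANDLE_VALUE) return 0;
  CloseHandle(h);
  return 1;
}
/* Drop-in equivalent of spc_softice_meltice(). */
int softice_present_meltice(void) {
  return softice_meltice_match(win32_device_probe) != NULL;
}
#endif

/* Constructed probes for offline testing: one where only NTICE "exists",
   one where no SoftICE device exists. */
int fake_probe_ntice_only(const char *path) {
  return strcmp(path, "\\\\.\\NTICE") == 0;
}
int fake_probe_none(const char *path) { (void)path; return 0; }
```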

SoftICE provides an interface via the debug breakpoint (int3) instruction that allows a process to communicate with the debugger. By loading a magic value ("BCHK") into the ebp register and executing an int3, the Boundschecker (originally the Numega Boundschecker utility) interface can be accessed. The function to be called is loaded into the eax register; function 4 will set the al register to 0 if SoftICE is present.

#include <windows.h>

__declspec(naked) BOOL spc_softice_boundschecker(void) {
  __asm {
      push ebp
      mov  ebp, 0x4243484B       ; "BCHK"
      mov  eax, 4                ; function 4: boundschecker interface
      int 3                      ; if no debugger handles this, the process
                                 ; receives EXCEPTION_BREAKPOINT: wrap the
                                 ; call in __try/__except in production code
      test al, al                ; test for zero
      jnz  debugger_not_present
      mov  eax, 1                ; set the return value to 1
      pop  ebp
      ret
    debugger_not_present:
      xor  eax, eax              ; set the return value to 0
      pop  ebp
      ret
  }
}

The int3 interface can also be used to issue commands to SoftICE by setting the esi and edi registers to magic values, then invoking function 0x911:

#include <windows.h>

char *sice_cmd = "hboot";

BOOL spc_softice_command(char *cmd) {
  __asm {
    push esi
    mov  esi, 0x4647     ; "FG"
    push edi
    mov  edi, 0x4A4D     ; "JM"
    push edx
    mov  edx, [cmd]      ; command (string) to execute
    mov  ax, 0x0911      ; function 911: execute SOFTICE command
    int 3
    pop  edx
    pop  edi
    pop  esi
  }
  /* The interface does not report a result here; return TRUE so the BOOL
     signature has a defined value once the command has been issued. */
  return TRUE;
}

Finally, the presence of SoftICE can be detected by invoking function 0x43 of interrupt 0x68:

#include <windows.h>

__declspec(naked) BOOL spc_softice_ispresent(void) {
  __asm {
    mov ah, 0x43
    int 0x68                  ; raises an exception if nothing services
                              ; vector 0x68: guard with __try/__except
    cmp ax, 0xF386
    jnz debugger_not_present
    mov eax, 1
    ret
  debugger_not_present:
    xor eax, eax
    ret
  }
}

SoftICE detection and counterdetection is a continuously evolving field. Different versions of SoftICE have different memory footprints and runtime behavior that can be used to detect them; however, because most software protection crackers have modified their versions of SoftICE to foil known detection methods, it is advisable not to rely entirely on SoftICE detections for protection.
